The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SLES

vulnerability note CVE-2015-3456

QEMU, Xen: privilege escalation via the emulated floppy disk drive, VENOM

Synthesis of the vulnerability

A local attacker can trigger a buffer overflow attack in the emulated floppy disk controller of QEMU, in order to escalate his privileges.
Impacted products: XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, JUNOS, openSUSE, oVirt, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, Xen.
Severity: 2/4.
Creation date: 13/05/2015.
Identifiers: CERTFR-2015-AVI-224, CERTFR-2015-AVI-286, CTX201078, CVE-2015-3456, DSA-3259-1, DSA-3262-1, DSA-3274-1, FEDORA-2015-8248, FEDORA-2015-8249, FEDORA-2015-8252, FEDORA-2015-8270, FEDORA-2015-9601, JSA10693, openSUSE-SU-2015:0893-1, openSUSE-SU-2015:0894-1, openSUSE-SU-2015:0983-1, openSUSE-SU-2015:1092-1, openSUSE-SU-2015:1094-1, openSUSE-SU-2015:1400-1, RHSA-2015:0998-01, RHSA-2015:0999-01, RHSA-2015:1000-01, RHSA-2015:1001-01, RHSA-2015:1002-01, RHSA-2015:1003-01, RHSA-2015:1004-01, RHSA-2015:1011-01, RHSA-2015:1031-01, SOL16620, SUSE-SU-2015:0889-1, SUSE-SU-2015:0889-2, SUSE-SU-2015:0896-1, SUSE-SU-2015:0923-1, SUSE-SU-2015:0927-1, SUSE-SU-2015:0929-1, SUSE-SU-2015:0940-1, SUSE-SU-2015:0943-1, SUSE-SU-2015:0944-1, USN-2608-1, VENOM, VIGILANCE-VUL-16904, XSA-133.

Description of the vulnerability

The Xen product can emulate a floppy drive with QEMU.

However, several fdctrl_*() functions of the hw/fdc.c file of QEMU do not check the index of an array.

A local attacker can therefore trigger a buffer overflow attack in the emulated floppy disk controller of QEMU, in order to escalate his privileges.

vulnerability bulletin CVE-2015-7575

GnuTLS: accepting a MD5 signature

Synthesis of the vulnerability

An attacker, who can generate a signature on the fly (unlikely), can use a weak algorithm (MD5) with applications linked to GnuTLS, in order to act as a Man-in-the-Middle.
Impacted products: Debian, Fedora, openSUSE, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 05/05/2015.
Identifiers: CVE-2015-7575, DSA-3437-1, FEDORA-2015-7942, GNUTLS-SA-2015-2, openSUSE-SU-2015:1372-1, RHSA-2016:0012-01, SLOTH, SSA:2015-233-01, SSA:2016-254-01, SUSE-SU-2016:0256-1, USN-2865-1, VIGILANCE-VUL-16813.

Description of the vulnerability

The GnuTLS library implements the TLS 1.2 protocol. In this version, the application can choose any combination of signature and hash algorithms.

When a TLS client receives a ServerKeyExchange message, it has to check if the algorithms chosen by the server match its security policy. Likewise, when a TLS server receives a ClientCertificateVerify message, it has to check if the algorithms chosen by the client match its security policy.

However, GnuTLS accepts MD5 signatures in any case.

This vulnerability has the same origin as VIGILANCE-VUL-18586.

An attacker, who can generate a signature on the fly (unlikely), can therefore use a weak algorithm (MD5) with applications linked to GnuTLS, in order to act as a Man-in-the-Middle.

vulnerability alert CVE-2015-3636

Linux kernel: use after free via ping_unhash

Synthesis of the vulnerability

A local attacker can force the usage of a freed memory area in ping_unhash() of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 04/05/2015.
Identifiers: CERTFR-2015-AVI-254, CERTFR-2015-AVI-261, CERTFR-2015-AVI-328, CERTFR-2015-AVI-357, CVE-2015-3636, DSA-3290-1, FEDORA-2015-7736, FEDORA-2015-8518, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, RHSA-2015:1221-01, RHSA-2015:1534-01, RHSA-2015:1564-01, RHSA-2015:1565-01, RHSA-2015:1583-01, RHSA-2015:1643-01, SOL17246, SUSE-SU-2015:1071-1, SUSE-SU-2015:1224-1, SUSE-SU-2015:1376-1, SUSE-SU-2015:1478-1, USN-2631-1, USN-2632-1, USN-2633-1, USN-2634-1, USN-2635-1, USN-2636-1, USN-2637-1, USN-2638-1, VIGILANCE-VUL-16801.

Description of the vulnerability

The Linux kernel supports sockets of type ping:
  socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)
The access to these sockets is usually restricted.

However, if the user disconnects and then connects the socket again, the ping_unhash() function frees a memory area that is reused afterwards.

A local attacker can therefore force the usage of a freed memory area in ping_unhash() of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.

computer vulnerability announcement CVE-2015-2783 CVE-2015-3329 CVE-2015-3330

PHP 5.6: eleven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP 5.6.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, openSUSE, Solaris, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Creation date: 17/04/2015.
Revision dates: 17/04/2015, 30/04/2015.
Identifiers: 66550, 68819, 69152, 69218, 69227, 69316, 69324, 69337, 69353, 69441, bulletinjul2015, c04686230, CVE-2015-2783, CVE-2015-3329, CVE-2015-3330, CVE-2015-3411, CVE-2015-3412, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603, CVE-2015-4604, CVE-2015-4605, DSA-3280-1, FEDORA-2015-6407, HPSBUX03337, openSUSE-SU-2015:0855-1, openSUSE-SU-2015:1197-1, RHSA-2015:1135-01, RHSA-2015:1187-01, RHSA-2015:1218-01, SOL17028, SOL17061, SSRT102066, SUSE-SU-2015:0868-1, SUSE-SU-2016:1638-1, USN-2658-1, VIGILANCE-VUL-16647.

Description of the vulnerability

Several vulnerabilities were announced in PHP 5.6.

An attacker can use a type error in exception::getTraceAsString, in order to obtain sensitive information. [severity:2/4; 69152, CVE-2015-4599]

An attacker can generate a memory corruption in php_stream_url_wrap_http_ex, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69337]

An attacker can use the null character, in order to access other files. [severity:2/4; 69353, CVE-2015-3411, CVE-2015-3412]

An attacker can use apache2handler, in order to execute code. [severity:3/4; 69218, CVE-2015-3330]

An attacker can force the usage of a freed memory area in php_curl, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69316]

An attacker can force a read at an invalid address in Phar, in order to trigger a denial of service. [severity:2/4; 69324, CVE-2015-2783]

An attacker can generate a buffer overflow in phar_set_inode, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69441, CVE-2015-3329]

An attacker can force the usage of a freed memory area in zval_scan, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69227]

An attacker can force the usage of a freed memory area in SQLite, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 66550]

An attacker can use a type error in SoapFault unserialize(), in order to obtain sensitive information. [severity:2/4; CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603]

An attacker can trigger a fatal error in Fileinfo, in order to trigger a denial of service. [severity:2/4; 68819, CVE-2015-4604, CVE-2015-4605]

vulnerability alert CVE-2015-3152

MySQL: Man-in-the-Middle of TLS

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle when the MySQL client asks for a TLS session, in order to read or alter exchanged data.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, MySQL Community, MySQL Enterprise, openSUSE, openSUSE Leap, Percona Server, XtraDB Cluster, pfSense, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***.
Severity: 2/4.
Creation date: 29/04/2015.
Identifiers: CERTFR-2015-AVI-281, CVE-2015-3152, DSA-3311-1, FEDORA-2015-10831, FEDORA-2015-10849, oCERT-2015-003, openSUSE-SU-2015:1216-1, openSUSE-SU-2015:2243-1, RHSA-2015:1646-01, RHSA-2015:1647-01, RHSA-2015:1665-01, SOL16845, SSA:2015-198-02, SUSE-SU-2015:1273-1, SUSE-SU-2016:1638-1, VIGILANCE-VUL-16761.

Description of the vulnerability

The MySQL client can communicate with the server through a TLS session.

The "--ssl" option of the client tries to set up a TLS session, but does not require one: if TLS cannot be negotiated, the connection silently falls back to cleartext. This behavior is documented, but many administrators are not aware of it.

An attacker can therefore act as a Man-in-the-Middle when the MySQL client asks for a TLS session, in order to read or alter exchanged data.

computer vulnerability note CVE-2015-2170 CVE-2015-2221 CVE-2015-2222

ClamAV: eight vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of ClamAV.
Impacted products: ClamAV, Fedora, MBS, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 29/04/2015.
Identifiers: CERTFR-2015-AVI-199, CVE-2015-2170, CVE-2015-2221, CVE-2015-2222, CVE-2015-2305, CVE-2015-2668, FEDORA-2015-7334, FEDORA-2015-7378, MDVSA-2015:221, openSUSE-SU-2015:0906-1, SUSE-SU-2016:1638-1, USN-2594-1, VIGILANCE-VUL-16759.

Description of the vulnerability

Several vulnerabilities were announced in ClamAV.

An attacker can generate an infinite loop with a y0da file, in order to trigger a denial of service. [severity:2/4; CVE-2015-2221]

An attacker can use a Petite Packed file, in order to trigger a denial of service. [severity:2/4; CVE-2015-2222]

An attacker can use an Upack Packed file, in order to trigger a denial of service. [severity:2/4]

An attacker can use a PE file, in order to trigger a denial of service. [severity:2/4]

An attacker can generate an infinite loop with an xz file, in order to trigger a denial of service. [severity:2/4; CVE-2015-2668]

An attacker can generate a buffer overflow in the regcomp() function of Henry Spencer's regex library, in order to trigger a denial of service, and possibly to execute code (VIGILANCE-VUL-16412). [severity:2/4; CVE-2015-2305]

An attacker can use an upx file, in order to trigger a denial of service. [severity:2/4; CVE-2015-2170]

An attacker can use an HTML file, in order to trigger a denial of service. [severity:2/4]

vulnerability note CVE-2015-1781

glibc: buffer overflow of gethostbyname_r

Synthesis of the vulnerability

An attacker can generate a buffer overflow in gethostbyname_r() of the glibc, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, MBS, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 21/04/2015.
Identifiers: 1199525, CVE-2015-1781, DSA-3480-1, FEDORA-2016-0480defc94, MDVSA-2015:218, openSUSE-SU-2015:0955-1, RHSA-2015:0863-01, RHSA-2015:2199-07, RHSA-2015:2589-01, SOL16865, SUSE-SU-2015:1424-1, SUSE-SU-2016:0470-1, USN-2985-1, USN-2985-2, VIGILANCE-VUL-16664.

Description of the vulnerability

The glibc library provides functions based on gethostbyname_r() (the reentrant, thread-safe variant) to obtain the IP address of a server from its DNS name.

However, if the data is not memory aligned, a buffer overflow occurs.

An attacker can therefore generate a buffer overflow in gethostbyname_r() of the glibc, in order to trigger a denial of service, and possibly to execute code.

vulnerability bulletin CVE-2015-3340

Xen: information disclosure via XEN_DOMCTL_gettscinfo

Synthesis of the vulnerability

A local attacker can read a memory fragment via XEN_DOMCTL_gettscinfo or XEN_SYSCTL_getdomaininfolist of Xen, in order to obtain sensitive information.
Impacted products: Debian, Fedora, openSUSE, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, Xen.
Severity: 1/4.
Creation date: 21/04/2015.
Identifiers: CVE-2015-3340, DSA-3414-1, FEDORA-2015-6583, FEDORA-2015-6670, openSUSE-SU-2015:0983-1, openSUSE-SU-2015:1092-1, openSUSE-SU-2015:1094-1, SUSE-SU-2015:0923-1, SUSE-SU-2015:0940-1, SUSE-SU-2015:0944-1, VIGILANCE-VUL-16663, XSA-132.

Description of the vulnerability

The Xen product implements the XEN_DOMCTL_gettscinfo and XEN_SYSCTL_getdomaininfolist ioctls.

However, the two associated functions do not initialize a memory area before returning it to the user.

A local attacker can therefore read a memory fragment via XEN_DOMCTL_gettscinfo or XEN_SYSCTL_getdomaininfolist of Xen, in order to obtain sensitive information.

vulnerability bulletin CVE-2015-3339

Linux kernel: privilege escalation via chown/execve

Synthesis of the vulnerability

A local attacker can use an execve() during the chown() operation by the Linux kernel, in order to escalate his privileges.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 20/04/2015.
Identifiers: CERTFR-2015-AVI-198, CERTFR-2015-AVI-236, CERTFR-2015-AVI-357, CERTFR-2015-AVI-498, CVE-2015-3339, DSA-3237-1, FEDORA-2015-7736, FEDORA-2015-8518, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, RHSA-2015:1272-01, RHSA-2015:2152-02, RHSA-2015:2411-01, SOL95345942, SUSE-SU-2015:1071-1, SUSE-SU-2015:1376-1, SUSE-SU-2016:2074-1, USN-2583-1, USN-2584-1, USN-2596-1, USN-2597-1, USN-2597-2, USN-2598-1, USN-2598-2, USN-2599-1, USN-2599-2, USN-2600-1, USN-2600-2, USN-2601-1, USN-2612-1, VIGILANCE-VUL-16653.

Description of the vulnerability

The chown() system call changes the owner of a file. If this file had the suid/sgid bit set, chown() removes it, holding the inode mutex to lock access to the file during the operation.

However, the execve() system call does not take this mutex. So, there is a time window during which the file is already owned by the new user but is still suid/sgid.

A local attacker can therefore use an execve() during the chown() operation by the Linux kernel, in order to escalate his privileges.

computer vulnerability alert CVE-2015-2783 CVE-2015-3329 CVE-2015-3330

PHP 5.5: nine vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP 5.5.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, MBS, Solaris, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Creation date: 17/04/2015.
Revision date: 17/04/2015.
Identifiers: 69152, 69218, 69227, 69316, 69324, 69337, 69353, 69441, bulletinjul2015, c04686230, CERTFR-2015-AVI-187, CVE-2015-2783, CVE-2015-3329, CVE-2015-3330, CVE-2015-3411, CVE-2015-3412, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603, DSA-3280-1, FEDORA-2015-6399, HPSBUX03337, MDVSA-2015:209, RHSA-2015:1135-01, RHSA-2015:1186-01, RHSA-2015:1218-01, SOL17028, SOL17061, SSRT102066, SUSE-SU-2015:0868-1, SUSE-SU-2015:1253-1, SUSE-SU-2015:1253-2, SUSE-SU-2016:1638-1, USN-2572-1, USN-2658-1, VIGILANCE-VUL-16646.

Description of the vulnerability

Several vulnerabilities were announced in PHP 5.5.

An attacker can use apache2handler, in order to execute code. [severity:3/4; 69218, CVE-2015-3330]

An attacker can use a type error in exception::getTraceAsString, in order to obtain sensitive information. [severity:2/4; 69152, CVE-2015-4599]

An attacker can generate a memory corruption in php_stream_url_wrap_http_ex, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69337]

An attacker can use the null character, in order to access other files. [severity:2/4; 69353, CVE-2015-3411, CVE-2015-3412]

An attacker can force the usage of a freed memory area in php_curl, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69316]

An attacker can force a read at an invalid address in Phar, in order to trigger a denial of service. [severity:2/4; 69324, CVE-2015-2783]

An attacker can generate a buffer overflow in phar_set_inode, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69441, CVE-2015-3329]

An attacker can force the usage of a freed memory area in zval_scan, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69227]

An attacker can use a type error in SoapFault unserialize(), in order to obtain sensitive information. [severity:2/4; CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603]